What best defines vulnerability in risk management context?

• A. An external threat that can cause loss
• B. Intrinsic properties that create susceptibility to risk
• C. A mitigated control that reduces risk
• D. The likelihood of an event independent of asset characteristics

Answer: (B)

Vulnerability in risk management context refers to the inherent weaknesses or properties of an asset, process, or system that make it susceptible to harm when a threat occurs. It’s about how exposed you are to a potential danger due to design flaws, missing controls, or poor configurations. For example, unpatched software, weak access controls, or insufficient physical barriers are vulnerabilities because they increase the chance a threat can cause damage. A mitigated control reduces vulnerability, but the vulnerability itself is the susceptibility that remains if controls aren’t fully effective. It isn’t an external threat (the event that could cause loss), nor a control, and it isn’t a standalone likelihood that is independent of asset characteristics since susceptibility depends on the asset’s specifics.